The Minister for Communications, Denis Naughten, has confirmed that plans to appoint a Digital Safety Commissioner for Ireland (DSC) will go ahead in 2018. The DSC will act as an ‘Internet regulator’, with powers of enforcement and responsibility for a ‘notice and takedown’ regime, to ensure the online safety of Internet users.

The proposal for a DSC is contained in a Report from the Law Reform Commission (LRC) on Harmful Communications and Digital Safety, which also contains a draft legislative proposal. The LRC has recommended that the scope of regulation by the DSC should include all ‘digital service undertakings’, which would be defined very broadly to cover intermediary service providers, internet service providers, internet intermediaries, online intermediaries, online service providers, search engines, social media platforms and websites and telecommunications undertakings.

The DSC mechanism is partially inspired by the systems in place in Australia and New Zealand, which have specific timelines linked to the obligation to remove unlawful material, with removal generally being required within 48 hours. In Ireland, under the current LRC proposals, the DSC will be mandated to develop a national Code of Practice for Take Down procedure, which would contain detailed and practical guidance on the procedure for ‘takedowns’, a requirement that the takedown procedure is made available free of charge and timelines within which offending materials should be removed.

It should be noted that the Australian and New Zealand regimes were implemented on a somewhat blank legislative canvas. Any proposal in Ireland must be compliant with the overarching requirements of the eCommerce Directive (which does not contain mandatory timelines, but requires internet intermediaries to ‘act expeditiously’ or risk losing their legal immunity). It remains to be seen whether an additional layer of Irish regulation on tech and Internet companies would have any impact on Ireland’s international reputation as an attractive place to do business.

An Taoiseach Leo Varadkar had previously indicated that Government plans to appoint a DSC were ‘on hold’; however, he has since clarified that he may have ‘mis-spoken’.

The Department of Communications has organised an open digital safety forum on March 8 at the Royal Hospital Kilmainham involving Gardaí, Interpol, NGOs, state bodies and parents’ groups. We await further detail on this proposal.

On 26 July 2017 the Court of Justice of the European Union (CJEU) delivered its Opinion that the draft Passenger Name Record (PNR) Agreement between the EU and Canada is not compatible with the EU Charter of Fundamental Rights (the Charter) and may not be concluded in its current form. The Opinion follows a referral by the European Parliament to the CJEU and is the first time the Court has been requested to examine the compatibility of an international agreement with the EU Charter.

The Court observed that the Charter rights are not absolute, and that an agreement allowing for the transfer and retention of data to ensure public security would be capable of justifying even serious interference with fundamental rights such as privacy and personal data protection. Any such interference should, however, be (1) proportionate, (2) strictly necessary and (3) guided by clear and precise rules governing its scope and application. The transfer of sensitive data would also require a precise and solid justification in addition to that of public security and the Court concluded that in this instance, there was no such justification.

Retention of Data

The envisaged Agreement provided that PNR data may be retained by Canada for five years after receipt of such data. The Court observed that the retention of data for the duration of a visitor’s stay in Canada did not exceed the limits of what is strictly necessary, but noted that as PNR data would be used as part of the verification process to grant entry into the territory, subsequent use of that data would require fresh justification by way of new circumstances or objective evidence. The Court suggested that except in cases of valid urgency, any decision by Canadian authorities to use PNR data after entry has been granted should be subject to prior review by a court or independent body. The retention of data after departure from Canada should also be limited to air passengers only when there is objective evidence available inferring a terrorism or crime risk.

The Court declared that as a number of other provisions were vague and did not adequately address the processing of PNR data in a clear and precise manner, it was not satisfied that the Agreement in its current form was compatible with the Charter.

The Article 29 Working Party (WP29) has recently provided its Opinion 2/2017 on data processing at work. The Opinion, adopted on 8 June 2017, highlights the risks and challenges of processing employees’ personal data in light of new technologies. While the Opinion focuses on the current data protection regime, it also considers some of the obligations arising under the General Data Protection Regulation (GDPR) from 25 May 2018.

The Opinion emphasises that despite a proliferation of new and affordable technologies that facilitate both covert and overt surveillance, fundamental principles of data protection will continue to apply. These principles include:

the satisfaction of a legal basis to process under Article 7 of the DPD;

whether the processing activity is both necessary and fair to the employee;

whether the processing activity is proportionate; and

whether the processing activity is transparent.

The WP29 reiterate that due to the imbalance between employer and employee, consent as a legal basis of processing will not be satisfactory for the majority of data processing at work. In some cases, the employer will be able to rely on contractual necessity to process personal data (such as paying the employee). The imposition of legal obligations (such as for the purpose of tax calculation) will also constitute a valid legal basis for processing. In order to rely on legitimate interests to legitimise data processing, the technology or method utilised must be necessary, proportionate and carried out in the least intrusive manner possible.

The WP29 emphasise that regardless of the legal basis for processing, a proportionality test should be undertaken prior to its commencement to consider whether the processing is necessary to achieve a legitimate purpose, as well as ensuring that any measures infringing the right to private life and secrecy of communications are limited to a minimum. This can form part of a Data Protection Impact Assessment (DPIA).

GDPR

The WP29 comment that the GDPR requires the most privacy friendly settings to be provided as default when an employer issues a device to an employee. The GDPR also requires a DPIA to be carried out when processing is likely to result in a high risk to the rights and freedoms of employees, particularly when using new technologies. The employer must consult the supervisory authority prior to processing if these risks cannot be adequately addressed. The WP29 Opinion considers a number of data processing at work scenarios in which new technologies have the potential to result in high risks to the privacy of employees. In all such cases the WP29 highlight that the employer must consider whether the proposed processing is: (i) necessary, and if so the legal grounds that apply; (ii) fair to employees; (iii) proportionate to the concerns raised; and (iv) transparent.

The Court of Justice of the European Union (CJEU) has handed down its ruling on a reference for a preliminary ruling in Case C-610/15 (Stichting Brein v Ziggo BV, XS4ALL Internet BV), holding that making available and managing an online platform for sharing copyright-protected works may constitute an infringement of copyright.

The case was brought by a Dutch anti-piracy group, Stichting Brein, against two internet service providers and was referred to the CJEU by the Supreme Court of the Netherlands to seek clarification on a point of EU law.

The CJEU considered whether an internet sharing platform, such as ‘The Pirate Bay’, which makes available and manages the indexation of metadata relating to copyrighted works, was providing ‘communication to the public’ of copyrighted materials within the meaning of Directive 2001/29/EC on the harmonisation of certain aspects of copyright and related rights in the information society. It was noted that although copyrighted material was placed online by users and not by the operators of ‘The Pirate Bay’, by indexing files to allow users to locate and share protected works, it played “an essential role in making the works in question available.”

It was also noted that although ‘The Pirate Bay’ does not host content, it provides a torrent search engine, classifying files under different categories and providing access to protected material “with full knowledge of the consequences of their conduct.”

The case will now return to the Dutch courts for final determination on the issue, but the ruling strengthens the position of copyright holders throughout the EU who wish to hold online sharing platforms accountable.

The Article 29 Working Party (WP29) (consisting of data protection regulators from the 28 Member States) has adopted Opinion 01/2017 on the proposed e-Privacy Regulation, which will repeal and replace the e-Privacy Directive. Whilst the WP29 welcomes the proposal, it identifies several points of concern, and sets out how the proposal can be improved.

In Rolf Anders Daniel Pihl v Sweden, the European Court of Human Rights (ECHR) agreed with Swedish authorities that a non-profit association was not liable for anonymous defamatory comments posted on its blog. The ECHR held that the Swedish authorities’ refusal to hold the owner of the blog liable for the anonymous defamatory online comment did not violate the European Convention on Human Rights (the Convention).

The Department of Justice and Equality have published a policy document on amending the law relating to the interception of communications. The purpose of interception legislation is to assist in the fight against organised crime and to protect the security of the State.

Irish legislation relating to interception is out-of-date and needs to be amended to provide for lawful interception of email and other forms of communication over the internet. Interception is controlled, to a limited extent, by the Postal and Telecommunications Services Act 1983, and the Interception of Postal Packets and Telecommunications (Regulation) Act 1993. That legislation is restricted to Telecoms and Postal Service providers (i.e. voice calls, text messages and postal packets).

The Government intends to introduce approximately 50 amendments to the current regime, with the primary aim of ensuring that communications services delivered over the internet are covered by our lawful interception legislation. Accordingly, the definition of “information society services” will be amended to cover “internet referencing services, social media”, and “any other entity providing a publicly available means of communication over an electronic communications network.” The definition of “interception” will also be amended to reflect modern communications characteristics. It will essentially be “an action, the effect of which is to make some or all of the content of a communication available to a person”.

The High Court in Muwema v Facebook Ireland Ltd [2016] IEHC 519 held that Facebook had no duty to remove defamatory content posted by an anonymous third party. Justice Binchy did, however, make a Norwich Pharmacal order requiring Facebook to disclose the identity and location of the person operating the page involved.

An Advocate General of the CJEU has expressed his opinion that operators of a free Wi-Fi service, who offer that service to the public, will be protected by the mere conduit defence under the E-Commerce Directive and will therefore not be liable for copyright infringement committed by users of that network. Advocate General Szpunar has published his opinion in response to a series of questions posed to the CJEU in Case C-484/14 Tobias McFadden v Sony Music Entertainment Germany GmbH. The case came about following an illegal download of a musical work in 2010, which prompted Sony to bring an action for damages and injunctive relief against Mr. McFadden – the operator of a business selling and renting lighting and sound systems near Munich which offered the free Wi-Fi network accessible to the public (over which the music work was unlawfully downloaded).

The High Court in the UK has again endorsed the use of predictive coding, ruling it as being the most appropriate and proportionate approach to disclosure despite disagreement between the parties surrounding its use. In a previous blog, we outlined how the UK High Court in the Pyrrho case ruled that predictive coding was appropriate to discharge a party’s obligations regarding electronic disclosure.

In the most recent judgment (yet to be published), the concept of using predictive coding in a disclosure exercise was strongly contested. Berwin Leighton Paisner, acting for the respondent, note that the petitioner’s solicitors wished to adopt a “traditional” approach to document review, where the inboxes of an agreed list of custodians would be filtered using an agreed list of search terms, and the responsive documents would be subject to a manual review. It was put to the court that the costs of the traditional approach would be excessive, and that superior results could be achieved at a more proportionate cost using predictive coding.